FileStatements

From SELinux Wiki

Contents

There are four types of file labeling statements: fs_use_xattr, fs_use_task, fs_use_trans and genfscon that are explained below.

The filesystem identifiers (fs_name) used by these statements are defined by the SELinux teams who are responsible for their development, the policy writer then uses those needed to be supported by the policy.

A security context is defined by these filesystem labeling statements, therefore if the policy supports MCS / MLS, then an mls_range is required as described in the MLS range Definition section.

The fs_use_xattr statement is used to allocate a security context to filesystems that support the extended attribute security.selinux. The labeling is persistent for filesystems that support these extended attributes, and the security context is added to these files (and directories) by the SELinux commands such as setfiles as explained in the Labeling Extended Attribute Filesystems section.

# These statements define the file systems that support pseudo
# filesystems that represent objects like pipes and sockets, so
# that these objects are labeled with the same type as the creating task.
#
fs_use_task eventpollfs system_u:object_r:fs_t:s0;
fs_use_task pipefs system_u:object_r:fs_t:s0;
fs_use_task sockfs system_u:object_r:fs_t:s0;

The fs_use_trans statement is used to allocate a security context to pseudo filesystems such as pseudo terminals and temporary objects. The assigned context is derived from the creating process and that of the filesystem type based on transition rules.

The genfscon statement is used to allocate a security context to filesystems that cannot support any of the other file labeling statements (fs_use_xattr, fs_use_task or fs_use_trans). Generally a filesystem would have a single default security context assigned by genfscon from the root (/) that would then be inherited by all files and directories on that filesystem. The exception to this is the /proc filesystem, where directories can be labeled with a specific security context (as shown in the examples). Note that there is no terminating semi-colon (;) on this statement.

The statement definition is:

genfscon fs_name partial_path fs_context

Where:

genfscon

The genfscon keyword.

fs_name

The filesystem name.

partial_path

If fs_name is proc, then the partial path (see the examples). For all other types, this must be '/'.

# The following examples show those filesystems that only
# support a single security context across the filesystem
# with the MLS levels added.
genfscon msdos / system_u:object_r:dosfs_t:s0
genfscon iso9660 / system_u:object_r:iso9660_t:s0
genfscon usbfs / system_u:object_r:usbfs_t:s0
genfscon selinuxfs / system_u:object_r:security_t:s0